Wednesday, April 8, 2009

Checking Software Package Digital Signatures

One very effective use for digital signatures is to verify that a software package has not been tampered with. A software package could be intercepted in transmission and some of its system-level files changed or substituted. Software packages from your distribution, as well as those by reputable GNU and Linux projects, are digitally signed. The signature provides modification digest information with which to check the integrity of the package. The digital signature may be included with the package file or posted as a separate file. To import a key that APT can use to check a software package, you use the apt-key command. APT will automatically check for digital signatures. To check the digital signature of a software package file that is not part of the APT repository system, you use the gpg command with the --verify option. These would include packages such as those made available as compressed archives, .tar.gz, whereas APT can check all DEB packages itself.

Importing Software Public Keys with apt-key
First, however, you will need to make sure that you have the signer’s public key. The digital signature was encrypted with the software distributor’s private key; that distributor is the signer. Once you have that signer’s public key, you can check any data you receive from them. In the case of third-party software repositories, you have to install their public key. Once the key is installed, you do not have to install it again.

Ubuntu includes and installs its public keys with its distribution. For any packages on the Ubuntu repositories, the needed public keys are already installed and checked by APT automatically. For other sites, such as Wine (the Linux Windows emulator), you may need to download the public key from its site and install it ( You may also have to add repository support to access its Ubuntu compatible software. The Wine public key is available from the site, with the public key for Ubuntu located at You could download the public key and then install it on your system with the apt-key command. The following downloads the Wine public key:

wget -q

Once the public key is downloaded, you can then use the apt-key command to install it for use by APT in software verification. Ubuntu uses the apt-key command to maintain public keys for software packages. Use the command with the add option to add the key:

sudo apt-key add 387EE263.gpg

To access the software repository, you would also have to install its APT configuration file in the /etc/apt/sources.list.d directory. For Wine, this is named Check the Wine site for download instructions.

Checking Software Compressed Archives
Many software packages in the form of compressed archives, .tar.gz or tar.bz2, will provide signatures in separate files that end with the .sig extension. To check these, use the gpg command with the --verify option. For example, the most recent Sendmail package is distributed in the form of a compressed archive, .tar.gz. Its digital signature is provided in a separate .sig file. First you download and install the public key for Sendmail software obtained from the Sendmail Web site (the key may have the year as part of its name). Sendmail has combined all its keys into one armored text file, PGPKEYS. You can download and then import the key file with gpg.

gpg --import PGPKEYS

You can also use the gpg command with the --search-key and –keyserver options to import the key. Keys matching the search term will be displayed in a numbered list. You will be prompted to enter the number of the key you want. The 2007 Sendmail key that results from the following example would be 7. This is the key used for 2007 released software.

$ gpg --keyserver --search-keys Sendmail

Instead of using gpg you could use the Encryptions and Password Keys application to find and import the key (choose Applications Accessories Encryption and Password Keys).

To check a software archive, tar.gz file, you also need to download its digital signature files. For the compressed archive (.tar.gz) you can use the .sig file ending in .gz.sig, and for the uncompressed archive use .tar.sig. Then, with the gpg command and the --verify option, use the digital signature in the .sig file to check the authenticity and integrity of the software compressed archive:

$ gpg --verify sendmail.8.14.2.tar.gz.sig sendmail.8.14.2.tar.gz
gpg: Signature made Wed 31 Oct 2007 08:23:07 PM PDT using RSA key ID 7093B841
gpg: Good signature from "Sendmail Signing Key/2007 "$

You can also specify just the signature file, and gpg will automatically search for and select a file of the same name, but without the .sig or .asc extension:

# gpg --verify sendmail.8.14.2.tar.gz.sig

In the future, when you download any software from the Sendmail site that uses this key, you simply have to perform the --verify operation. Bear in mind, though, that different software packages from the same site may use different keys. You will have to make sure that you have imported and signed the appropriate key for the software you are checking.

Source of Information : McGraw Hill Ubuntu The Complete Reference

No comments: